If you were a world-class educational institution with a reputation for excellence in computing disciplines, would you store the sensitive personal data of thousands of students and alumni in an unprotected spreadsheet? According to some reports, UC Berkeley did exactly that and has since suffered a data theft at the hands of hackers. The potential victims include students, staff and their families dating back to 1999.

On a site set up by the university to provide information to those affected by the breach, UC Berkeley admits that ‘overseas criminals’ gained access to systems shared by UC Berkeley and Mills College. The compromised systems contained data including social security numbers and personal medical information including health insurance details of thousands of students and alumni. What is less clear is how hackers were able to infiltrate the systems and what, if any, safeguards were in place to protect the data.

ChannelWeb reports that the records were stored in an unprotected spreadsheet rather than, for example, in an encrypted database. The UC Berkeley site refers to ‘databases’, but does not go into specifics of how the data was stored. IT administrators at Berkeley only became aware of the breach when they noticed taunting messages left by the hackers.

The university deeply regrets exposing our students and the Mills community to potential identity theft. The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks.

To be fair to UC Berkeley, they have at least admitted the problem and have taken steps to alert all of those affected, offering advice on how to protect themselves from identity theft. The FBI have also been notified about the attacks, which UC Berkeley believe originated outside of the US. The university has also set up a 24-hour ‘Data Theft Hotline’ for victims of the potential data theft.